A data protection authority in any EU country can initiate a data privacy breach procedure against Facebook, even if the European branch of the US giant is headquartered in Ireland.
This is the opinion of Michal Bobek, Advocate General at the Court of Justice of the European Union. Soon, the CJEU will issue a judgment on the dispute between Facebook and the data protection authority in Belgium, the equivalent of the Polish President of the Office for Personal Data Protection (case C-645/19).
If the CJEU rules in line with the recommendation of its advocate general, such Polish PUODO authorities will be able to bring cases for non-compliance with the EU General Data Protection Regulation (GDPR) against Facebook and other tech giants overseas such as Google, Twitter and Apple, which also have their own headquarters in Ireland. The giants will face orders to pay fines worth billions of euros.
Read also: CJEU: Courts in the EU may order Facebook to remove illegal comments around the world
The dispute started in September 2015. The data protection authority in Belgium initiated proceedings before the local courts against companies belonging to the Facebook group: Facebook Inc, Facebook Ireland Ltd, which is the group’s main organizational unit in the European Union, and Facebook Belgium BVBA. He demanded that Facebook be ordered to stop placing cookies without the consent of Internet users in Belgium, and the excessive collection of data using social plugins and pixels on third party websites. In addition, the supervisory authority requested the destruction of all data of Internet users in Belgium collected by Facebook using cookies and social plugins.
Proceedings in this case are currently pending before the Court of Appeal in Brussels. However, their scope was limited to Facebook Belgium, as the court found that it did not have jurisdiction to hear actions brought against Facebook Inc and Facebook Ireland Ltd., which are based outside Belgium.
FB: Only Ireland can stop us
Facebook Belgium takes the position that with the application of the provisions of the General Data Protection Regulation (GDPR), the Belgian data protection authority has lost the right to pursue any legal proceedings against Facebook. Why? Because under the rule of the GDPR, only the data protection authority of the state in which Facebook has its main organizational unit in the European Union is entitled to initiate court proceedings against Facebook for a breach of the GDPR in connection with cross-border data processing. In the case of the EU, Facebook is headquartered in Dublin, Ireland, because Facebook Ireland Ltd., a regional branch of Mark Zuckerberg’s empire, is located there. And that means – according to Facebook – that only the Irish data protection authority could raise GDPR-related requests in the EU.
A Belgian court decided to ask the EU Court about this issue, and the EU Court asked for the problem of its Advocate General to be analyzed.
The lead authority can do more
Michal Bobek admitted that, in accordance with the GDPR, the lead data protection authority has general competence to initiate court proceedings regarding an infringement of the provisions of the GDPR with regard to cross-border data processing. It follows that other DPAs have more limited powers in this regard.
– The GDPR grants each data protection authority the right to initiate legal proceedings for possible infringements affecting their territories. This power is clearly limited in the case of cross-border data processing, precisely in order to give the lead data protection authority the ability to perform the tasks entrusted to it, the spokesman pointed out.
Michal Bobek emphasized that data subjects may themselves initiate court proceedings against controllers and processors before, inter alia, the courts of the Member State in the country where they are habitually resident or established. On the other hand, complaints against a data protection authority must be brought in the Member State where it is established, even if the lead authority is located in another Member State. If such a complaint is rejected or dismissed, the supervisory authority shall adopt a decision on the matter and notify the complainant thereof. This allows him to initiate proceedings in his Member State of habitual residence or establishment.
There are special cases
The Advocate General indicated that a lead data protection authority cannot be considered to be the sole enforcer of the GDPR for cross-border data processing. In line with the principles and timescales provided for in the GDPR, it should cooperate closely with other data protection authorities concerned and not ignore their comments.
– National data protection authorities, even if they do not act as lead authority, may nevertheless, in certain situations, initiate proceedings in the courts of their respective Member State in the event of cross-border data processing. The Advocate General states that these are, in particular, situations where national data protection authorities:
1) take actions that do not fall within the scope of the application of the GDPR;
2) investigate the same or similar cross-border data processing activities carried out by public authorities in the public interest or by administrators from outside the Union;
3) take urgent action;
4) they enter the case as a result of the lead authority’s decision not to deal with the case.
– The provisions of the GDPR therefore allow a data protection authority operating in a given Member State to initiate proceedings before a court of that country regarding an alleged breach of the GDPR on cross-border data processing, even if that authority is not the lead authority. The condition is, however, that such action is taken in the situations indicated in the GDPR and in accordance with the procedures specified therein, explained Michal Bobek.
*The article has been translated based on the content of https://www.rp.pl by www.rp.pl. If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!
*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.
*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!